Invalid JWT: Failed audience check. #130

Open
LuyuanLi97 opened this issue Mar 16, 2022 · 1 comment

LuyuanLi97 commented Mar 16, 2022

Hi! I generated a JWT code with:
oauth2l fetch --type jwt --credentials my-service-account-file.json --scope firebase.messaging
Then request access_token with CURL like this:
curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<JWT_CODE> ' https://oauth2.googleapis.com/token
but got 400 Bad Request: Invalid JWT: Failed audience check.

And with the JWT code generated from
oauth2l fetch --type jwt --credentials ./my-service-account-file.json --audience https://oauth2.googleapis.com/token
I got the 400 Bad Request error
"error": "invalid_scope", "error_description": "Invalid OAuth scope or ID token audience provided."

Are there any arguments that I missed?

@andyrzhao
Collaborator

Hi there, please refer to https://github.com/google/oauth2l#jwt and https://developers.google.com/identity/protocols/oauth2/service-account#error-codes to help troubleshoot. A couple of observations and things to try based on your comment:

  1. For JWT with scope (a relatively new feature), try using "cloud-platform" as the scope.
  2. I'm not sure why you are running a separate curl command trying to exchange the jwt token you obtained. The JWT token should be used directly in place of an oauth access token for authentication with supported backends.
  3. For JWT with audience (traditional route), your audience should be something like https://pubsub.googleapis.com/. Please replace with the canonical audience for firebase as needed.
Thanks!
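
A diagnostic sketch for the two errors in this thread, added here as an example (it is not code from the thread or from the oauth2l project): it decodes a JWT's payload without verifying the signature and classifies the token by its `aud` and `scope` claims. The mapping from claims to errors is inferred from the errors reported above, and the service account name and sample tokens are constructed.

```python
import base64
import json

# Audience used in the second command of the question (the token endpoint URL).
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims. The signature is NOT verified: diagnostics only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str) -> str:
    """Classify a JWT by its aud/scope claims (mapping inferred from this thread)."""
    claims = jwt_claims(token)
    aud = claims.get("aud") or []
    auds = aud if isinstance(aud, list) else [aud]
    scope = claims.get("scope")
    if TOKEN_ENDPOINT in auds:
        if scope:
            return "aud and scope present: shaped like a token-endpoint assertion"
        return "aud is the token endpoint, no scope: exchange fails with invalid_scope"
    if auds:
        return f"aud={auds[0]}: send directly as the bearer token to that API"
    if scope:
        return "scope only, no aud: exchange fails the audience check; use directly"
    return "neither aud nor scope: not usable"


def sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    sa = "demo@example-project.iam.gserviceaccount.com"  # constructed
    for c in ({"iss": sa, "scope": "https://www.googleapis.com/auth/firebase.messaging"},
              {"iss": sa, "aud": TOKEN_ENDPOINT},
              {"iss": sa, "aud": "https://pubsub.googleapis.com/"}):
        print(diagnose(sample_token(c)))
```

Run it against the output of `oauth2l fetch --type jwt ...` by passing the token string to `diagnose`; a JWT is a bearer credential, so keep it out of shared logs and tickets.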
